before translation:
inside local (SRC-from-LAN) -> outside local (DST-from-LAN) [ROUTER-NAT]
after translation:
inside global (SRC-from-WAN) -> outside global (DST-from-WAN)
ip nat pool NAT-POOL 11.12.13.0 11.12.13.3 prefix-length N
Effect:
the mask PREVENTS the router from handing out addresses that are the network address or the broadcast address of the given subnet.
Example: if there is a small range for NAT:
ip nat pool 1.1.1.7 1.1.1.8
then with /24 both addresses will be handed out, but with /29 none will be (1.1.1.7 is the broadcast address of 1.1.1.0/29 and 1.1.1.8 is the network address of 1.1.1.8/29).
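To make the mask rule concrete, here is an added Python example (not from the original notes) that works out which addresses of an "ip nat pool" range the router can actually hand out under a given prefix length; the pool ranges are the ones used in the notes, and usable_pool_addresses is my own helper name.

```python
import ipaddress


def usable_pool_addresses(start_ip: str, end_ip: str, prefix_len: int) -> list:
    """Return the addresses of a NAT pool that the router will hand out.

    The netmask / prefix-length on 'ip nat pool' does not shrink the range.
    It tells the router which addresses inside the range are a subnet's
    network address or directed-broadcast address; those are never used.
    """
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError("pool end address precedes start address")
    usable = []
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(n)
        # the subnet this address belongs to under the configured mask
        subnet = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
        if addr in (subnet.network_address, subnet.broadcast_address):
            continue  # network or broadcast address: skipped by the router
        usable.append(str(addr))
    return usable


if __name__ == "__main__":
    # The two-address pool from the notes: everything with /24, nothing with /29.
    print(usable_pool_addresses("1.1.1.7", "1.1.1.8", 24))
    print(usable_pool_addresses("1.1.1.7", "1.1.1.8", 29))
```

With a /32 or /31 every address is its own network/broadcast address, so the function returns nothing, which is the same rule carried to its limit.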
Key Points
* Configure DHCP in an Enterprise branch network. This includes being able to explain DHCP features and benefits, the differences between BOOTP and DHCP, DHCP operation, and configuring, verifying, and troubleshooting DHCP.
* Configure NAT on a Cisco router. This includes explaining key features and operation of NAT and NAT Overload, explaining advantages and disadvantages of NAT, configuring NAT and NAT Overload to conserve IP address space in a network, configuring port forwarding, and verifying and troubleshooting NAT configurations.
* Configure next generation RIP (RIPng) to use IPv6. This includes explaining how IPv6 solves the problem of IP address depletion, explaining how to assign IPv6 addresses, describing transition strategies for implementing IPv6, and configuring, verifying and troubleshooting RIPng for IPv6.
DHCP
DHCP includes three different address allocation mechanisms when assigning IP addresses:
- Manual Allocation: The administrator assigns a pre-allocated IP address to the client and DHCP only communicates the IP address to the device.
- Automatic Allocation: DHCP automatically assigns a static IP address permanently to a device, selecting it from a pool of available addresses. There is no lease and the address is permanently assigned to a device.
- Dynamic Allocation: DHCP dynamically assigns, or leases, an IP address from a pool of addresses for a limited period of time chosen by the server, or until the client tells the DHCP server that it no longer needs the address.
DHCP works in a client/server mode and operates like any other client/server relationship:
1) Client - DHCP DISCOVER L2/L3 broadcast -> Server
2) Server - DHCP OFFER unicast (L2) -> Client
3) Client - DHCP REQUEST (for lease origination and lease renewal) broadcast -> Server
4) Server - DHCP ACK unicast -> Client
Both DHCP and BOOTP (predecessor of DHCP) are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports.
Cisco routers running Cisco IOS software provide full support for a router to act as a DHCP server.
(config)# ip dhcp excluded-address low-address [high-address]
( [high-address] - (Optional) The last IP address in the excluded address range. )
(config)# ip dhcp pool poolname
(config-dhcp)# network network-number [mask | /prefix-length]
(config-dhcp)# default-router address [address2...address8]
(config-dhcp)# dns-server address [address2...address8]
(config-dhcp)# domain-name domain
(config-dhcp)# lease {days [hours] [minutes] | infinite}
(config-dhcp)# netbios-name-server address [address2...address8]
Verify:
show ip dhcp binding
show ip dhcp pool
show ip dhcp server statistics
show ip dhcp conflict
DHCP Relay - enables routers to forward DHCP broadcasts to the DHCP servers. When a router forwards address assignment/parameter requests, it is acting as a DHCP relay agent.
(config-if)# ip helper-address dhcp-ip-address
UDP ports forwarded by default: 37, 49, 53, 67, 68, 69, 137, 138
(config)# ip forward-protocol udp port (to forward additional ports)
Certain Windows clients have a feature called Automatic Private IP Addressing (APIPA). With this feature, a Windows computer can automatically assign itself an IP address in the 169.254.x.x range in the event that a DHCP server is not available or does not exist on the network.
Private and Public IP addressing
All public Internet addresses must be registered with a Regional Internet Registry (RIR):
- ARIN - North America
- RIPE NCC - Europe and Middle East
- APNIC - Asia and Oceania
- LACNIC - Latin America
- AfriNIC - Africa
RFC 1918 specifies that private addresses are not to be routed over the Internet ( "non-routable" ):
- class A 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- class B 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- class C 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
Cisco NAT
NAT - saves public IP addresses by allowing networks to use private IP addresses:
- Inside local address - Usually not an IP address assigned by a RIR or service provider and is most likely an RFC 1918 private address (192.168.10.10).
- Inside global address - Valid public address that the inside host is given when it exits the NAT router. (209.165.200.226).
- Outside global address - Valid public IP address assigned to a host on the Internet (any other address, e.g. 209.165.201.1).
- Outside local address - The local IP address assigned to a host on the outside network. In most situations, this address will be identical to the outside global address of that outside device.
When you are trying to figure out the name for an IP address, Inside Local / Inside Global / Outside Local / Outside Global, just keep this in mind :
1: Local or Global refers to the current location of the packet.
2: Inside or Outside refers to the location of the device.
https://supportforums.cisco.com/docs/DOC-8526
NAT overloading (sometimes called Port Address Translation or PAT) maps multiple private IP addresses to a single public IP address or a few addresses. This is what most home routers do. Each private address is also tracked by a port number.
NAT generally only translates IP addresses on a 1:1 correspondence between publicly exposed IP addresses and privately held IP addresses. NAT overload modifies both the private IP address and port number of the sender. NAT overload chooses the port numbers seen by hosts on the public network.
NAT Benefits
- Conserves the legally registered addressing scheme
- Increases the flexibility of connections to the public network
- Provides consistency for internal network addressing schemes
- Provides network security
NAT Drawbacks
- Performance is degraded
- End-to-end functionality is degraded
- End-to-end IP traceability is lost
- Tunneling is more complicated
- Initiating TCP connections can be disrupted
- Architectures need to be rebuilt to accommodate changes
Configure static NAT:
Router(config)#ip nat inside source static local-ip global-ip
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config)#interface type number
Router(config-if)#ip nat outside
Configure dynamic NAT:
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
! The netmask or prefix-length keyword indicates which address bits belong to the network and which bits belong to the host for the range of addresses.
Router(config)#access-list access-list-number permit source [source-wildcard]
(defines which addresses can be translated)
Router(config)#ip nat inside source list access-list-number pool name
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config)#interface type number
Router(config-if)#ip nat outside
Example:
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool NAT-POOL1
int ser 0/0
ip nat outside
int fa 0/0
ip nat inside
Port Forwarding
Sometimes referred to as tunneling, port forwarding is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside through a NAT-enabled router. www.portforward.com
ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable]
! The extendable keyword is applied automatically (it allows several ambiguous static translations that use the same local or global address).
Example:
ip nat inside source static tcp 192.168.10.254 80 209.165.200.225 8080
int ser 0/0
ip nat outside
int fa 0/0
ip nat inside
Example config NAT overload
!
ROUTER1(config)#interface fa0/0
ROUTER1(config-if)#ip nat inside
!
ROUTER1(config)#interface s0/0
ROUTER1(config-if)#ip nat outside
!
ROUTER1(config)#access-list 1 permit 192.168.6.64 0.0.0.63
ROUTER1(config)#ip nat pool myip 198.18.32.65 198.18.32.70 netmask 255.255.255.248
ROUTER1(config)#ip nat inside source list 1 pool myip overload
!
ROUTER1(config)#do sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 198.18.32.65:1 192.168.6.66:1 192.0.2.114:1 192.0.2.114:1
icmp 198.18.32.65:2 192.168.6.66:2 192.0.2.114:2 192.0.2.114:2
icmp 198.18.32.65:3 192.168.6.66:3 192.0.2.114:3 192.0.2.114:3
icmp 198.18.32.65:4 192.168.6.66:4 192.0.2.114:4 192.0.2.114:4
icmp 198.18.32.65:10 192.168.6.67:10 192.0.2.114:10 192.0.2.114:10
icmp 198.18.32.65:11 192.168.6.67:11 192.0.2.114:11 192.0.2.114:11
icmp 198.18.32.65:12 192.168.6.67:12 192.0.2.114:12 192.0.2.114:12
!
ROUTER1(config)#do sh ip nat statistics
Total translations: 87 (0 static, 87 dynamic, 87 extended)
Outside Interfaces: Serial0/1/0
Inside Interfaces: FastEthernet0/0
Hits: 440 Misses: 440
Expired translations: 353
Dynamic mappings:
-- Inside Source
access-list 1 pool myip refCount 87
pool myip: netmask 255.255.255.248
start 198.18.32.65 end 198.18.32.70
type generic, total addresses 6 , allocated 1 (16%), misses 0
!
Verify NAT commands
show ip nat translations
show ip nat translations verbose
show ip nat statistics
clear ip nat translation *
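Because NAT overload hides the inside host behind one public address, the translation table shown above is the only record that maps an externally observed source back to an inside host. The following Python is an added example (not from the original notes): it parses rows in the "show ip nat translations" format, answers "which inside host owned 198.18.32.65:1025?" and counts how many inside hosts share each inside global address. The sample table is constructed for this example; the function names are my own.

```python
import re

# Constructed sample in the layout of the 'show ip nat translations' output above
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 198.18.32.65:1    192.168.6.66:1     192.0.2.114:1      192.0.2.114:1
icmp 198.18.32.65:10   192.168.6.67:10    192.0.2.114:10     192.0.2.114:10
tcp  198.18.32.65:1024 192.168.6.66:49152 192.0.2.50:443     192.0.2.50:443
tcp  198.18.32.65:1025 192.168.6.68:49152 192.0.2.50:443     192.0.2.50:443
"""

# exactly five whitespace-separated columns; the header has more words, so it never matches
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text: str) -> list:
    """Return one dict per translation row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def inside_host_for(rows: list, proto: str, inside_global_sock: str):
    """Map an externally seen (protocol, 'ip:port') back to the inside host
    that owns the translation; None if no live entry exists (e.g. aged out)."""
    for r in rows:
        if r["proto"] == proto and r["inside_global"] == inside_global_sock:
            return r["inside_local"].rsplit(":", 1)[0]
    return None


def hosts_sharing_global(rows: list) -> dict:
    """Count distinct inside hosts behind each inside global address (PAT fan-in)."""
    seen = {}
    for r in rows:
        ig = r["inside_global"].rsplit(":", 1)[0]
        il = r["inside_local"].rsplit(":", 1)[0]
        seen.setdefault(ig, set()).add(il)
    return {ig: len(hosts) for ig, hosts in seen.items()}
```

Translation entries expire (see "Expired translations" in the statistics), so a lookup like this only works while the entry is still in the table or was exported to a log in time.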
Other NAT Info
NAT Quick Facts (POSTER)
https://dl-web.dropbox.com/get/Public/CCNA/NAT.pdf?w=AACNJWKeJCTblLn1lVrSUeeH_0N7lPyZ9tJ1_q1Hex38Wg
NAT Lab in Packet Tracer
http://dl.dropbox.com/u/61785248/CCNA/LAB-CCNA-NAT-Sim.zip
The trouble with NAT @ cisco.com
- http://www.cisco.com/web/about/ac123/ac147/ac174/ac182/about_cisco_ipj_archive_article09186a00800c83ec.html
- http://en.wikipedia.org/wiki/Network_Address_and_Port_Translation
NAT main issue:
- Internet hosts cannot initiate connections to hosts behind NAT if no translation rule has been created in the NAT table.
NAT and FAST PATH:
IPv6
IPv6 basics + testing with Windows7 - http://sclabs.blogspot.com/2011/05/ipv6-basics.html
IPv4 address space provides approximately 4,294,967,296 unique addresses. Of these, only 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses.
IPv4: 4 octets
11000000.10101000.00001010.01100101
192.168.10.101
4,294,967,296 (2^32) IP addresses
IPv6: 16 octets
11010001.11011100.11001001.01110001.11011100.11001100.01110001.11010001.11011100.11001001.11010001.11011100.11001001.01110001.00000010.11011110
A524:72D3:2C80:DD02:0029:EC7A:002B:EA73
3.4 x 10^38 IP addresses
An IPv6 address is a 128-bit binary value, which can be displayed as 32 hexadecimal digits organized into 8 groups of 4 hex digits separated by a colon ":".
IPv6 prefix - a block of consecutive IPv6 addresses.
IPv6 features
Enhanced IP addressing
- Global reachability and flexibility
- Aggregation
- Multihoming
- Autoconfiguration
- Plug-and-play
- End-to-end without NAT
- Renumbering
Mobility and security
- Mobile IP RFC-compliant
- IPsec mandatory (or native) for IPv6
Simple header
- Routing efficiency
- Performance and forwarding rate scalability
- No broadcasts
- No checksums
- Extension headers
- Flow labels
Transition richness
- Dual-stack
- 6to4 and manual tunnels
- Translation
IPv6 Address Representation
- Leading zeros in a field are optional. For example, the field 09C0 equals 9C0, and the field 0000 equals 0. So 2031:0000:130F:0000:0000:09C0:876A:130B can be written as 2031:0:130F:0000:0000:9C0:876A:130B.
- Successive fields of zeros can be represented as two colons "::". However, this shorthand method can only be used once in an address. For example 2031:0:130F:0000:0000:9C0:876A:130B can be written as 2031:0:130F::9C0:876A:130B.
- An unspecified address is written as "::" because it contains only zeros.
IPv6 Global Unicast Address - an IPv6 address that is globally unique
The current global unicast address that is assigned by the IANA uses the range of addresses that start with binary value 001 (2000::/3), which is 1/8 of the total IPv6 address space and is the largest block of assigned addresses.
Reserved Addresses
The IETF reserves a portion of the IPv6 address space for various uses, both present and future. Reserved addresses represent 1/256th of the total IPv6 address space.
Private Addresses - never routed outside of a particular company network:
1) Site-local addresses are similar to RFC 1918 addresses. In hexadecimal, site-local addresses begin with "FE" and then "C" to "F" for the third hexadecimal digit.
2) Link-local addresses - have a smaller scope than site-local addresses; they refer only to a particular physical link (physical network). Routers do not forward datagrams using link-local addresses at all, not even within the organization; they are only for local communication on a particular physical network segment. They are used for link communications such as automatic address configuration, neighbor discovery, and router discovery. Many IPv6 routing protocols also use link-local addresses. Link-local addresses begin with "FE" and then have a value from "8" to "B" for the third hexadecimal digit.
Loopback Address - in IPv6 there is just one address ( 0:0:0:0:0:0:0:1 or "::1" )
Every IPv6 interface contains at least 1 loopback address
Unspecified Address - it refers to the host itself, and is used when a device does not know its own address.
(0:0:0:0:0:0:0:0 or "::" )
0:0:0:0:0:0:0:0 (or ::) - source address while using stateful configuration (DHCP); IPv4 equivalent 0.0.0.0
0:0:0:0:0:0:0:1 (or ::1) - localhost; IPv4 equivalent 127.0.0.1
0:0:0:0:0:0:0:192.168.0.1 - IPv4 address written in a mixed IPv4/IPv6 network environment
2000::/3 - Global unicast range
FC00::/7 - Unique local unicast range
FE80::/10 - Link-local unicast range
FF00::/8 - Multicast range
3FFF:FFFF::/32 - Examples and documentation
2001:0DB8::/32 - Examples and documentation
2002::/16 - For 6to4 transition
IPv6 addresses use interface identifiers to identify interfaces on a link. Think of them as the host portion of an IPv6 address. Interface identifiers are required to be unique on a specific link. Interface identifiers are always 64 bits and can be dynamically derived from a Layer 2 address (MAC).
You can assign an IPv6 address ID statically or dynamically:
Static assignment using a manual interface ID:
RouterX(config-if)# ipv6 address ipv6-address/prefix-length
RouterX(config-if)#ipv6 address 2001:DB8:2222:7272::72/64
Static assignment using an EUI-64 interface ID - configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion from the Layer 2 MAC address of the device, which is known as the EUI-64 (Extended Unique Identifier) interface ID (FFFE is inserted between the OUI and the unique serial number of the MAC address):
RouterX(config-if)# ipv6 address ipv6-prefix/prefix-length eui-64
RouterX(config-if)# ipv6 address 2001:DB8:2222:7272::/64 eui-64
Stateless autoconfiguration - automatically configures the IPv6 address; enables plug-and-play networking of devices to help reduce administration overhead.
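The representation rules (leading zeros, a single "::") and the EUI-64 derivation are easy to get wrong by hand, so here is an added Python example (not from the original notes) that implements both: compress_ipv6 applies the two rules to a fully written 8-field address, and eui64_address builds the address that "ipv6 address 2001:DB8:2222:7272::/64 eui-64" would produce. It also flips the universal/local bit of the MAC's first octet, which the notes do not mention but IOS does; the MAC 00:0C:29:AB:CD:EF is a constructed sample and the function names are my own.

```python
import ipaddress


def compress_ipv6(addr: str) -> str:
    """Apply the two representation rules to an 8-field address: drop leading
    zeros in each field, then replace the single longest run of two or more
    zero fields with '::' (the first run wins a tie)."""
    fields = [f.lstrip("0") or "0" for f in addr.split(":")]
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1  # extend the current run of zero fields
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:  # '::' may only stand for two or more zero fields
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def eui64_interface_id(mac: str) -> str:
    """48-bit MAC -> 64-bit interface ID: insert FFFE between the OUI and the
    serial part and invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit (bit 7 of the first octet)
    h = eui.hex()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Equivalent of 'ipv6 address <prefix>/64 eui-64': the first four fields
    of the prefix followed by the derived interface ID, in compressed form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    prefix_fields = net.network_address.exploded.split(":")[:4]
    return compress_ipv6(":".join(prefix_fields) + ":" + eui64_interface_id(mac))
```

Because the interface ID is derived from the MAC, the same host produces the same suffix on every /64 it joins, which is why the privacy extensions later replaced EUI-64 for client addressing.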
DHCP for IPv6 (DHCPv6) - DHCPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6 nodes.
IPv6 Transition Strategies
Dual Stack - node has implementation and connectivity to both an IPv4 and IPv6 network.
Tunneling - an integration method in which an IPv6 packet is encapsulated within another protocol, such as IPv4. With IPv4 as the encapsulating protocol, the packet consists of a 20-byte IPv4 header with no options, followed by the IPv6 header and payload.
a) Manual IPv6-over-IPv4 tunneling - An IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.
b) Dynamic 6to4 tunneling - Automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet.
c) Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) - Automatic overlay tunneling mechanism that uses the underlying IPv4 network as a link layer for IPv6.
d) Teredo tunneling - An IPv6 transition technology that provides host-to-host automatic tunneling instead of gateway tunneling.
e) NAT-Protocol Translation (NAT-PT)
Configure IPv6
RouterX(config)#ipv6 unicast-routing
RouterX(config-if)#ipv6 address ipv6-prefix/prefix-length eui-64
Cisco IOS IPv6 Name Resolution:
- static - Define a static name for an IPv6 address
RouterX(config)#ipv6 host name [port] ipv6addr [{ipv6addr} ...]
RouterX(config)#ipv6 host router1 3ffe:b00:ffff:b::1
- dynamic - Specify the DNS server used by the router
RouterX(config)#ip name-server address
RouterX(config)#ip name-server 3ffe:b00:ffff:1::10
Configure RIPng with IPv6
RouterX(config)#ipv6 router rip name
RouterX(config-if)#ipv6 rip name enable
Multicast IPv6
IPv6 Multicast Address Space Registry link
Node-Local Scope Multicast Addresses
FF01:0:0:0:0:0:0:1 All Nodes Address
FF01:0:0:0:0:0:0:2 All Routers Address
Link-Local Scope Multicast Addresses
FF02:0:0:0:0:0:0:1 All Nodes Address
FF02:0:0:0:0:0:0:2 All Routers Address
FF02:0:0:0:0:0:0:5 OSPF IGP
FF02:0:0:0:0:0:0:6 OSPF IGP Designated Routers
FF02:0:0:0:0:0:0:8 IS-IS for IPv6
FF02:0:0:0:0:0:0:9 RIP Routers
FF02:0:0:0:0:0:0:A EIGRP Routers
IPv6 Routing Protocols
* RIPng is enabled on each interface separately
Data link layers are supported by Cisco IOS for IPv6
- PPP
- Frame Relay PVC